You Have a Compliance Obligation for Client Data. Does Your IT Service Reflect That?

Every professional firm that handles client data has regulatory obligations for how that data is stored, retained, and protected. But for most small and mid-sized firms, the IT environment tells a very different story than the compliance policy on the shelf.

The Rules Are Clear. The Implementation Usually Isn't.

If you're a law firm, wealth management firm, or property management company, there's a regulatory body somewhere that has specific expectations for how you handle client records. Those expectations cover what you keep, how long you keep it, who can access it, and how you dispose of it when the time comes.

The American Bar Association's Model Rule 1.6(c) requires lawyers to make "reasonable efforts" to prevent unauthorized access to client information. State bar associations in most jurisdictions go further, defining retention periods for client files that typically range from five to ten years after a matter closes.

The IRS requires tax professionals to maintain client records for three to seven years depending on the document type, and the FTC's Safeguards Rule, which applies to all tax preparers, mandates a written information security plan that includes multi-factor authentication, access controls, encryption, and ongoing employee training. This isn't advisory language. The FTC has enforcement authority and has used it.

For wealth management firms, SEC Rules 17a-3 and 17a-4 and FINRA Rule 4511 define strict recordkeeping requirements covering everything from client correspondence to trade confirmations, with retention periods ranging from three to seven years depending on the record type. Records must be stored in a non-rewritable, non-erasable format for the duration of their retention period. In January 2025, the SEC charged twelve firms and levied $63.1 million in combined penalties for recordkeeping failures, primarily involving off-channel communications that weren't captured or preserved. Those firms included Blackstone, KKR, Apollo, Carlyle, and Charles Schwab.

Property management companies handling tenant PII, including Social Security numbers, bank account details, and lease agreements, face growing exposure under state data privacy laws that increasingly require documented data processing and retention controls.

The obligations are well documented. The problem is that most firms' IT environments weren't built to enforce them.

The Gap Between Policy and Practice

Most professional firms have some version of a data retention policy. It might be a few paragraphs in an employee handbook, a section in a compliance manual, or a standalone document drafted years ago when the firm was smaller.

But a policy is only as useful as the systems that enforce it. And in most small and mid-sized firms, the gap between the written policy and the actual IT environment is significant.

Client files live in a mix of locations: local hard drives, personal OneDrive folders, shared network drives with inconsistent permissions, email attachments, and occasionally in the cloud applications employees chose on their own. Nobody has a definitive map of where all client data actually resides, and the retention schedule exists on paper but isn't automated or enforced by any system.

When an employee leaves, their mailbox might get deleted within 30 days and their laptop might get wiped and reassigned. But whether the client records in that mailbox and on that laptop were preserved according to policy depends entirely on whether someone remembered to check.

When a legal hold comes through, requiring the firm to preserve all records related to a specific matter, the ability to execute that hold consistently across email, file shares, and cloud applications depends on having systems that support it. Most don't. According to the ABA's 2023 Cybersecurity TechReport, 29% of law firms experienced some form of security breach. The firms that discovered breaches during compliance reviews or litigation holds faced not only the original incident but also the question of whether their data handling met their regulatory obligations in the first place.

Where IT Usually Falls Short

The compliance gaps in professional services IT environments tend to cluster in the same areas:

Retention enforcement. The firm has a policy that says tax records are kept for seven years and client engagement files for ten. But the file server doesn't know that. Files sit indefinitely or get deleted when someone runs out of storage space. There's no automated system flagging records approaching their retention deadline or managing secure disposal when the period expires.

Access controls and audit trails. Regulators expect that client data is accessible only to authorized personnel and that access is logged. In practice, shared drives often have wide-open permissions, with every employee having access to every client folder. There's no audit trail showing who accessed what, which makes it impossible to demonstrate compliance during a review.

Legal hold execution. When litigation or a regulatory investigation triggers a preservation obligation, the firm needs to immediately suspend normal deletion policies for relevant records across all systems. Without centralized document management, executing that hold means sending an email asking everyone to "please don't delete anything related to the Smith matter," which is exactly the kind of informal process that courts and regulators have repeatedly found insufficient.

Email and communication preservation. This is where the largest fines have been levied. The SEC's recent enforcement actions focused specifically on firms whose employees used personal devices, text messages, and messaging apps for business communications that were never captured in the firm's recordkeeping system. The $63.1 million in penalties from the January 2025 action hit firms that acknowledged their personnel, including supervisors and senior managers, used unapproved channels for business communications that should have been preserved.

Backup integrity. IRS Publication 4557 explicitly states that tax professionals should back up encrypted copies of client data and keep them in a secure location. The FTC Safeguards Rule requires that customer information is protected against destruction or damage. But many firms run backups without encryption, without testing restores, and without confirming that the backup actually covers the systems where client data lives.

The Enforcement Landscape Is Tightening

This isn't a theoretical compliance risk. Enforcement activity across multiple regulators has increased meaningfully in the past two years.

The SEC has collected more than $2 billion in recordkeeping penalties since launching its off-channel communications initiative in 2021. The January 2025 round brought the total number of firms penalized to over sixty. FINRA has pursued parallel actions against broker-dealers for the same category of violations.

The FTC's updated Safeguards Rule, which took full effect in 2023, added specific technical requirements including MFA, encryption, and access logging that apply to every tax preparer in the country. The rule requires firms to designate a qualified individual responsible for overseeing the information security program and to conduct periodic risk assessments.

State data privacy laws continue to proliferate. Colorado's Privacy Act, which went into effect in 2024, requires businesses to implement reasonable data protection measures and creates enforcement authority for the state attorney general. For firms operating across multiple states, the patchwork of requirements adds another layer of obligation.

For firms handling audits, regulatory inquiries, or client disputes, the first question is increasingly not just "what happened?" but "can you produce the records to demonstrate what happened?" If the answer is no, the compliance failure becomes its own separate problem, sometimes carrying penalties larger than the original issue.

Closing the Gap

The good news is that these compliance gaps are fixable with the right planning and the right technology. A managed IT provider that understands regulatory requirements for professional services can assess where client data currently lives, map that against retention obligations, and build an environment that actually enforces the policies the firm already has on paper.

That typically means implementing centralized document management with automated retention schedules, configuring proper access controls and audit logging, establishing legal hold procedures that work across email and file systems, setting up encrypted and tested backup systems that cover all repositories where client data resides, and capturing business communications in channels the firm controls and can preserve.

The firms that handle compliance well aren't the ones with the longest policy documents. They're the ones whose IT was built to enforce those policies automatically, so compliance happens in the background rather than depending on someone remembering to follow a manual process.

If you're unsure whether your current IT environment supports your regulatory obligations, a Network Discovery is a practical starting point. It maps where your data lives, how it's protected, and where the gaps are between your policies and your infrastructure.

Ready to take the next step? Contact the Connecting Point team today to discuss your organization's needs.

Fill out our Network Discovery Form to get started!

970.356.7224 | www.CPcolorado.com | sales@CPcolorado.com

Connecting Point is a trusted IT solutions provider based in Greeley, Colorado, helping businesses across Northern Colorado and beyond navigate technology decisions with confidence.